Testing the AS

From GEANT2-JRA1 Wiki

Contents 1 General Testing Instructions 2 Testing the Authentication Service(AS) 2.1 eduGAINed Test Tool 2.1.1 Download 2.1.2 Test 2.1.3 How to use eduGAINed ASTest 2.1.4 How to use eduGAINed ClientTest

General Testing Instructions

An introduction to Functional testing can be found here. Also take a look at a tutorial in using soapUI and Groovy.

The steps when performing functional testing can be summarized in the following:

• 1) Define the tests you are going to conduct in a Testing Specifications Document(A template of the document is found here)
• 2)Send the document to Michalis Michael, and cc the Release Management Team(Luis Marta and Loukik Koudarimoti) and the developer of the service( in this case Candido Rodriguez)
• 3) You can install the service and start building the tests on soapUI, but you may be required to modify or add more tests, if the tests

defined in the Testing Specifications document are not considered adequate enough.

• 4)When the first Release Candidate of the service is made available, you will install the RC and perform your previously developed tests to the service
• 5) Then you will be required to pass the results of the tests back to the developer of the service, the release management team and report any problems to bugzillaBugzilla_details
• 6) You will perform the previous actions until the Release Management Team judges that the service has reached a satisfactory level.

Testing the Authentication Service(AS)

Information about the AS can be found here and information and examples about the Authentication request here

A brief summary about AS Testing.

The Authentication Service is the service that will be used for providing authentication within the perfSONAR framework. To generalize things a little bit, the authentication process can be separated in two parts:

• Communication between the client(stand alone client or in a web container) and the perfSONAR service
• Communication between the perfSONAR service and the AS

For the first case the client inserts a security token into the soap Header of the request it sends to the perfSONAR service. What we need to test in this part is that the authorization process is done as expected. That is if a valid security token is used then the service will accept the client request. What is needed to be done is to use Candido's libraries to get a security token, manipulate the token if necessary(i.e change it in order to become invalid), and then insert it to the request that the client is going to send to the service. This is required to be done inside soapUI. In order to do this you will have to use Groovy(A scripting language based on Java) in order to use Candido's Java libraries. You will need to place this Groovy script inside a groovy script assertion in soapUI and also use soapUI API to insert the security token inside the soap header of a request. The Groovy assertion that will be created will be re-used from all testers for testing authorization procedures for all services .

For the second case what needs to be tested is the actual communication between the perfSONAR service and the AS, that is the authentication request. You will need to verify that the AS responds according to specifications and that it complies with the schema description.

Examples of tests developed on soapUI can be found here. The CL MP tests are probably the best for an example.

Please read the documents provided in the first section before starting to test. For any question feel free to contact me(Michalis Michael) by mail mikem at ucy.ac.cy or by skype michalis.michael82, or by phone . You can reach the developer of the service (Candido Rodriguez) by jabber at kan at im.rediris.es .

eduGAINed Test Tool

Since security tokens contains timestamp information and their values are evaluated and validated in the AS, it cannot be possible copying valid SOAP headers into files used by SOAPui.

Due to this problem, it has been developed this tool, which it's really helpful for generating quickly any perfSONAR message with valid security tokens.

There are two servlets in this tool:

• eduGAINed ASTest: it generates valid SOAP header and envelope for AC, UbC and WE profiles writting the perfSONAR message you want to send to a perfSONAR service. It's protected by the EduGAINFilter so you need to have a valid account in eduGAIN in order to use it.
• eduGAINed ClientTest: it sends a SOAP envelope to a perfSONAR service.

Download

There is a WAR file available here for download.

Also, you can download the source code in the SVN.

Test

It is recommended that you deploy this tool in a Tomcat, so you can configure it and put a pair of valid private and public keys.

However, a test installation has been deployed and you can reach:

• eduGAINed ASTest: http://homer.rediris.es:8080/TestTool/eduGAINed_ASTest
• eduGAINed ClientTest: http://homer.rediris.es:8080/TestTool/eduGAINed_ClientTest

This installation could have not valid keys one day, so maybe you prefer to install it for you.

How to use eduGAINed ASTest

First, as this servlet is protected by the EduGAINFilter, we have to choose our IdP (normally the GIdP_prod one):

We can use this servlet in order to get valid SOAP header and envelop for a perfSONAR messsage, but containing authN information. If there is no pre-defined perfSONAR message, we have to write the message that we want to send. Also, we can see the configuration of the tool and which attributes we're receiving from the EduGAINFilter:

For example, if we want to send an authN request based on SAML assertion, we can use the next messsage:

<nmwg:message id="authNMessage1" type="AuthNEERequest" xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
  <nmwg:metadata id="authNMetadata">
    <nmwg:parameters id="keys">
      <nmwg:parameter name="SecurityToken">
        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
      </nmwg:parameter>
    </nmwg:parameters>
  </nmwg:metadata>
  <nmwg:data id="authN1" metadataIdRef="authNMetadata"/>
</nmwg:message>

Then, if we click on the button 'Accept', it generates:

• SOAP header for AC & UbC profiles
• SOAP envelope for AC & UbC profiles
• SOAP header for WE profile
• SOAP envelope for WE profile

How to use eduGAINed ClientTest

This servlet is NOT protected by the EduGAINFilter so you can use it when you want. It only sends to an end point a SOAP envelope.

So, you only need to copy the SOAP envelope of AC & UbC profiles or of the WE profile. Just don't forget not copy the first line <?xml version="1.0" encoding="UTF-8"?>

You see after click on the button the response from the service: